Organizations today are subject to a variety of regulations related to the computer systems within the organization. Often, organizations undergo regular auditing to verify compliance with these regulations. General guidelines have been established for systems within an organization. For example, the Control Objectives for Information and related Technology (COBIT) is a set of recommended practices (i.e., a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and recommended practices to assist them in improving the benefits derived from information technology and in developing appropriate IT governance and control in an organization. For example, some practices specify which applications are allowed to run, or require that each computer system have up-to-date antivirus software. Other regulations govern specific industries. For example, the Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996, contains provisions that require health care providers to protect the privacy of patient information. These provisions extend to data stored on a health care provider's computer systems, and organizations often seek to verify their compliance with such regulations.
Non-compliant systems are those computing systems within an organization that do not comply with one or more regulations placed in effect by the organization. An organization typically has two priorities with respect to non-compliant computer systems. First, the organization wants to isolate non-compliant systems from compliant systems, to avoid spreading a problem or allowing unauthorized access to sensitive organizational data. For example, if a non-compliant computer system has a computer virus, the organization wants to prevent that virus from spreading to other computer systems within the organization. Second, the organization wants to bring the non-compliant computer system back into compliance. This ensures that the user of the non-compliant computer system receives the level of service from the organization's IT resources that the user expects. For example, the user may expect to be able to access a corporate email server to check email, but, for the security of other systems, may be prevented from doing so while there is a problem with compliance.
Most compliance applications today focus on remotely auditing and detecting violations of the types of regulations or recommended practices noted above. These applications may routinely scan an organization's network from a central server to evaluate each computer system's compliance with a recommended practice. The applications often generate a report that IT personnel review and act upon. For example, the IT personnel may communicate with the user of a non-compliant computer system or block the non-compliant computer system from accessing certain resources (e.g., a corporate network). Existing systems provide a lot of information, but place a correspondingly high burden on the IT personnel who must later review that information and act upon it. For this reason, enterprises typically lack visibility into the effectiveness of their IT controls, which are designed to meet their business objectives and regulatory needs. The data that does exist is often misaligned with, or disconnected from, policies, regulations, and business and IT objectives.
In addition, the remote scanning process is limited by the bandwidth and computational resources of the central server, and does not scale well to large organizations (e.g., those with thousands of computer systems). Even organizations that install an agent on each computer system to maintain compliance (e.g., an antivirus application) are not completely safe. Such agents reduce the burden on the central server, but they can be uninstalled or disabled by a user with high privilege. Agents running on a computer system compete for memory and CPU even when idle, which has a negative effect on the computer system's performance. Lastly, the longer an agent has been running on a computer system, the higher the chance that the agent has been compromised and its data manipulated.